Access Control

Many security requirements have access control in common. The purpose of access control is to ensure that only authorized individuals, or processes acting on their behalf, can access your digital systems. Companies need a formal, documented access control policy.

The access control policy should address:
1. Account Management – manages and documents accounts (authorizing, establishing, activating, modifying, reviewing, disabling, and removing).
2. Access Enforcement – enforces authorizations in accordance with documented policies.
3. Information Flow – authorizes the flow of information between interconnected systems and regulates where information can travel.
4. Separation of Functions – ensures the division of responsibilities to prevent conflicts of interest; no one person has power over all activities.
5. Least Privilege – assigns users the minimum set of rights they need.


What Access Control Is

Access control is a set of controls that restrict access to certain resources. If we think about it, access controls are everywhere around us: the door to your room, the guards who let you into the office building after seeing your access card, swiping your card and scanning your fingers on a biometric system, the queue for food at the canteen, or entering your credentials to log in to Facebook are all examples of different types of access control. Here we focus only on logical access control mechanisms.

There are two main types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

Access Control Mechanisms

Discretionary Access Control (DAC)
As the name suggests, this access control model is based on a user's discretion, i.e., the owner of a resource can grant access rights on that resource to other users as they see fit. Access Control Lists (ACLs) are a typical example of DAC. Specifying the "rwx" permissions on a Unix file you own is another example of DAC. Most operating systems, including Windows and the various flavours of Unix, are based on the DAC model.

Mandatory Access Control (MAC)
In this model, users and owners do not enjoy the privilege of deciding who can access their files. Here the operating system is the decision maker, overriding the user's wishes. In this model every subject (user) and object (resource) is classified and assigned a security label. The security labels of the subject and the object, together with the security policy, determine whether the subject can access the object. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.

This is a stricter and rather static access control model compared to DAC, and it is mostly suited to military organizations where data classification and confidentiality are of prime importance. Certain hardened variants of the Unix operating systems are based on the MAC model.

Role Based Access Control (RBAC)
RBAC is the buzzword across enterprises today. In this model, access to a resource is governed by the role that the subject holds within an organization. RBAC is also known as non-discretionary access control because the user inherits privileges that are tied to their role; the user has no control over the role they are assigned. Each of the above access models has its own advantages and disadvantages. An organization should select the appropriate access model by considering factors such as the type of business, the number of users, the organization's security policy, and so on.

As the number of users and resources in an organization grows, it becomes extremely difficult to manage users' access rights through ACLs. This not only increases the cost of administration but also results in users being granted excess privileges, violating the least privilege principle and exposing the organization to risk. Moreover, the complexity of this approach makes it very hard for an organization to meet its regulatory compliance obligations.

So in organizations where the number of users and the employee turnover are large, RBAC is the optimum solution for access control. Tying privileges to roles, and assigning users to those roles, makes it much simpler for an organization to manage access to its resources. RBAC also speeds up employee on-boarding and off-boarding by tying provisioning and de-provisioning to the roles.
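To make the three models concrete, here is a small added illustration (not code from the course material) modelling each one in Python. The MAC rule used (read allowed only when the subject's clearance is at least the object's classification) and the role and user names are assumptions for the demo.

```python
from dataclasses import dataclass, field

# --- Discretionary (DAC): the owner decides who gets which rights, as with
# --- a Unix rwx mode or an ACL entry.
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights

    def grant(self, granter: str, user: str, right: str) -> None:
        if granter != self.owner:              # only the owner may change the ACL
            raise PermissionError(f"{granter} does not own this file")
        self.acl.setdefault(user, set()).add(right)

    def allowed(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())

# --- Mandatory (MAC): labels are assigned by the system and the policy decides;
# --- neither subject nor owner can override it. The rule below is an assumed
# --- example policy: read is allowed only when the subject's clearance is at
# --- least the object's classification.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_allowed(subject_label: str, object_label: str) -> bool:
    return LEVELS[subject_label] >= LEVELS[object_label]

# --- Role-based (RBAC): permissions hang off roles; users only get roles, so
# --- on-boarding and off-boarding is a change to the user -> roles mapping.
ROLE_PERMS = {"clerk": {"read_ledger"}, "auditor": {"read_ledger", "export_ledger"},
              "manager": {"read_ledger", "approve_payment"}}
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}}   # constructed sample data

def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))

def offboard(user: str) -> None:
    USER_ROLES.pop(user, None)   # one removal revokes every role-derived privilege

if __name__ == "__main__":
    f = DacFile(owner="alice")
    f.grant("alice", "bob", "read")
    print("DAC bob read:", f.allowed("bob", "read"), " bob write:", f.allowed("bob", "write"))
    print("MAC secret->confidential:", mac_allowed("secret", "confidential"),
          " confidential->secret:", mac_allowed("confidential", "secret"))
    print("RBAC bob export:", rbac_allowed("bob", "export_ledger"))
    offboard("bob")
    print("RBAC bob export after off-boarding:", rbac_allowed("bob", "export_ledger"))
```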



Security Threats

Viruses

A virus is a program or code that replicates itself onto other files with which it comes into contact; that is, a virus can infect another program, a boot sector, a partition sector, or a document that supports macros by inserting itself into or attaching itself to that medium. Most viruses only replicate, although many can damage a computer or the user's data as well. Unlike worms, which are discussed separately, viruses generally require human action to propagate.

Boot viruses:
Since the code in the boot sector is executed automatically, boot sectors have historically been a common attack vector for computer viruses.
These viruses infect the boot records of floppy disks or the master boot records of hard disks. They replace the boot record program (which is responsible for loading the operating system into memory), copying it elsewhere on the disk or overwriting it. A boot virus is loaded into memory when the system reads the disk while booting.
Examples: Form, Disk Killer, and Stone virus

Program viruses:

These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded into memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade

Multipartite viruses:

A hybrid of boot and program viruses. They infect program files, and when an infected program is executed they infect the boot record. The next time the computer boots, the virus in the boot record loads into memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila

Stealth viruses:
These viruses use certain techniques to avoid detection. They may redirect the disk head to read another sector instead of the one in which they reside, or they may alter the infected file's size as shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file and then subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale

Polymorphic virus

A polymorphic virus is a piece of code characterized by the following behaviour: encryption, self-replication, and changing one or more of its own components so that it remains elusive. It is designed to avoid detection, as it is capable of creating modified copies of itself.

Thus, a polymorphic virus is self-encrypting malicious software that changes itself in one or more ways before replicating onto the system. Because it changes its components and is encrypted, the polymorphic virus can be considered one of the more sophisticated kinds of malware and is hard to detect: by the time your anti-virus detects it, the virus has already replicated after changing one or more of its components.

Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101

Macro Viruses:

A macro virus is a computer virus written in the same macro language used by software applications like word processors. Because macro programs embedded in these documents run automatically when the document is opened, they are a likely mechanism for spreading viruses.

When you open a word processing or spreadsheet document, the macro virus is activated. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
Examples: Melissa, DMV, Nuclear, Word Concept.
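Since a macro virus travels inside the document, a defender's first check is whether an incoming document carries a macro project at all. The added Python example below (not part of the course notes) inspects an OOXML package (.docm, .xlsm and similar are ZIP archives) for the parts that hold VBA code; the sample packages it builds are constructed stand-ins, not real Office files, and legacy binary .doc/.xls formats are out of scope.

```python
import io
import zipfile

# Part names under which OOXML macro-enabled documents store their VBA project
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type declared for a VBA project in [Content_Types].xml
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def document_has_macros(data: bytes) -> bool:
    """Return True if an OOXML document (as bytes) embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in VBA_PARTS):
                return True
            # Fall back to the declared content types in case the part was renamed
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML package (e.g. legacy binary .doc); not handled here
    return False

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(f"{label}: macros present = {document_has_macros(doc)}")
```

A document flagged this way is not necessarily malicious, only macro-bearing; the check is a triage gate ahead of sandboxing or policy enforcement, not a verdict.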

Retrovirus:

A retrovirus is another type of virus that tries to attack and disable the anti-virus application running on the computer, or otherwise destroys its virus definition database.


Syllabus Cyber Security AUC-002

UNIT-1
Introduction to Information Systems, Types of Information Systems, Development of Information Systems, Introduction to Information Security, Need for Information Security, Threats to Information Systems, Information Assurance, Cyber Security, and Security Risk Analysis.
UNIT-2
Application Security (Database, E-mail and Internet), Data Security Considerations: Backups, Archival Storage and Disposal of Data; Security Technology: Firewalls and VPNs, Intrusion Detection, Access Control.
Security Threats: Viruses, Worms, Trojan Horses, Bombs, Trapdoors, Spoofs, E-mail Viruses, Macro Viruses, Malicious Software, Network and Denial of Service Attacks; Security Threats to E-Commerce: Electronic Payment Systems, e-Cash, Credit/Debit Cards; Digital Signatures, Public Key Cryptography.
UNIT-3
Developing Secure Information Systems, Application Development Security, Information Security Governance & Risk Management, Security Architecture & Design, Security Issues in Hardware, Data Storage & Downloadable Devices, Physical Security of IT Assets, Access Control, CCTV and Intrusion Detection Systems, Backup Security Measures.
UNIT-4
Security Policies, Why Policies Should Be Developed, WWW Policies, E-mail Security Policies, Policy Review Process, Corporate Policies, Sample Security Policies, Publishing and Notification Requirements of the Policies.
Information Security Standards: ISO, IT Act, Copyright Act, Patent Law, IPR; Cyber Laws in India: IT Act 2000 Provisions; Intellectual Property Law: Copyright Law, Software Licences, Semiconductor Law and Patent Law.

Introduction to firewalls

A firewall is a hardware or software system that prevents unauthorized access to or from a network.

The firewall can be implemented in both hardware and software, or a combination of both.

Firewalls are frequently used to prevent unauthorized internet users from accessing private networks connected to the internet. All data entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
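The packet examination described above is, at its simplest, an ordered rule list with a default-deny fallback. The Python example below is an added illustration (not code from the course notes); the addresses, the network layout and the rule set are constructed for the demo, and it filters on protocol, source, destination and destination port only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR of matching sources
    dst: str = "0.0.0.0/0"       # CIDR of matching destinations
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Constructed rule set: private network 192.168.1.0/24 with a web server at
# 192.168.1.10; 198.51.100.0/24 stands in for an external range to be blocked.
RULES = [
    Rule("deny",  src="198.51.100.0/24"),                        # blocked range, checked first
    Rule("allow", proto="tcp", dst="192.168.1.10/32", dport=80), # inbound web traffic
    Rule("allow", proto="tcp", src="192.168.1.0/24", dport=443), # outbound HTTPS
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule wins; anything that matches no rule is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5",  "192.168.1.10", 80),   # allow: web server
        Packet("tcp", "198.51.100.7", "192.168.1.10", 80),   # deny: blocked range
        Packet("tcp", "192.168.1.20", "203.0.113.9",  443),  # allow: outbound HTTPS
        Packet("tcp", "203.0.113.5",  "192.168.1.10", 22),   # deny: no rule matches
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Rule order matters: moving the deny rule below the allow rule would let the blocked range reach the web server, which is the classic first-match misconfiguration.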